security of XAMPP

Problems with the Windows version of XAMPP, questions, comments, and anything related.

security of XAMPP

Postby feck » 15. November 2012 15:56

I've just noticed after installing XAMPP for the first time in months that in the phpMyAdmin users section there are quite a few other users, including:
[image]
I came across this after googling XAMPP security and found a tutorial on some extra security considerations around XAMPP http://robsnotebook.com/xampp-security-hardening, telling me that user pma is pre-installed and doesn't require a password, which needs to be changed in the config.inc.php file. Now this tutorial was from 2007, and I was wondering what the exact implications of this are? Whilst writing this post I noticed from the Users overview panel in phpMyAdmin above that it seemed I can just make up a name and leave the password blank and still log in, which I did and was successful. As a complete starter in XAMPP, again, what are the implications of this, does this leave my system open to abuse, and how do I change it?

Also, what other potential security holes should I be looking for and plugging?
feck
 
Posts: 3
Joined: 21. June 2012 15:56
XAMPP Version: 5.6.3
Operating System: Windows 7 64bit

Re: security of XAMPP

Postby JonB » 19. November 2012 23:50

If you don't forward ports 80, 443, or 3306 (HTTP, HTTPS, and MySQL) on your router and your machine is not directly connected to the internet, there are no security issues to button up, really.

Generally you should have one MySQL user per 'type' of application. The 'root' user should be secured on all hosts. MySQL defines users in terms of host connections. So there is a 'root' @ 'localhost', which has a separate set of permissions/privileges from 'root' @ '%' any host (which should be narrower probably) or 'root' @ 'xxx.yy.zz.nn' or 'root' @ 'host.domain.tld' (meaning 'root' logging in FROM those hosts) EACH has its own entry in the mysql/user table - which means they are treated separately. 'pma' is a special user for phpMyAdmin. If you examine the 'Any' entries, you should see they have 'no' privileges.

Go to Database > mysql > table > user and you can browse what is going on...

SQL result

Host: localhost
Database: mysql
Generation Time: Nov 19, 2012 at 11:45 PM
Generated by: phpMyAdmin 3.5.2 / MySQL 5.5.25a
SQL query: SELECT * FROM `user` LIMIT 0, 30 ;
Rows: 7

Host    User    Password    Select_priv    Insert_priv    Update_priv    Delete_priv    Create_priv    Drop_priv    Reload_priv    Shutdown_priv    Process_priv    File_priv    Grant_priv    References_priv    Index_priv    Alter_priv    Show_db_priv    Super_priv    Create_tmp_table_priv    Lock_tables_priv    Execute_priv    Repl_slave_priv    Repl_client_priv    Create_view_priv    Show_view_priv    Create_routine_priv    Alter_routine_priv    Create_user_priv    Event_priv    Trigger_priv    Create_tablespace_priv    ssl_type    ssl_cipher    x509_issuer    x509_subject    max_questions    max_updates    max_connections    max_user_connections    plugin    authentication_string
localhost   root   *1148F7B52BFDDB63C95CC73056410AD3A70F   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
linux   root      Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
localhost      *61843C6664DA1312B5F4716ED62152FF4B20   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
linux         N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
localhost   pma      N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
%   jonb   *05363F68CCCC3F775C0AF7541DA7E682E048   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]
localhost   ODBC      N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N      [BLOB - 0 B]   [BLOB - 0 B]   [BLOB - 0 B]   0   0   0   0      [BLOB - 0 B]



You can also read what this guy :mrgreen: wrote about other XAMPP security stuff:
http://bravo.newnetenterprises.com/word ... -security/

Little has changed since I wrote that... But I see I should add a section on MySQL users.

Good Luck
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
XAMPP Version: 1.8.3-2
Operating System: Windows XP/7 - Fedora 15 1.7.7
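The following SQL is an added example, not something either poster supplied, showing how the per-host account model described above can be audited and tightened on a MySQL 5.5 server like the one in the dump. It removes the anonymous (empty-name) accounts that let any made-up user name log in with a blank password, sets passwords on the accounts that have none, and drops the password-less root entry for the extra host. The host name 'linux' is taken from the dump; the placeholder passwords are constructed and must be replaced.

```sql
-- Run as root@localhost, e.g. from the XAMPP shell: mysql -u root
-- Note: PASSWORD() and the Password column exist in MySQL 5.5 but were
-- removed in later versions (use ALTER USER ... IDENTIFIED BY there).

-- 1. Audit: every account, flagged when it has no password or no user name.
SELECT User, Host,
       Password = '' AS no_password,
       User = ''     AS anonymous
FROM mysql.user
ORDER BY User, Host;

-- 2. Anonymous accounts: 'anyone' matches these, which is why a blank
--    user/password pair was accepted. Hosts come from the dump above.
DROP USER ''@'localhost';
DROP USER ''@'linux';

-- 3. root with an empty password on a second host: drop it rather than
--    password it, since root should only be usable from localhost here.
DROP USER 'root'@'linux';

-- 4. Give the remaining password-less accounts real passwords.
--    CHANGE-ME-* are placeholders; phpMyAdmin's controluser ('pma')
--    must get the same value in config.inc.php (controlpass).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME-root');
SET PASSWORD FOR 'pma'@'localhost'  = PASSWORD('CHANGE-ME-pma');
SET PASSWORD FOR 'ODBC'@'localhost' = PASSWORD('CHANGE-ME-odbc');

FLUSH PRIVILEGES;

-- 5. Verify: this should now return no rows.
SELECT User, Host FROM mysql.user WHERE Password = '' OR User = '';
```

After changing the root password, phpMyAdmin in XAMPP stops working until `$cfg['Servers'][$i]['password']` in phpMyAdmin's config.inc.php is updated to match (or `auth_type` is switched from `config` to `cookie` so it prompts for credentials), and `$cfg['Servers'][$i]['controlpass']` must match the new pma password. Keeping `root` usable only from `localhost` is the practical form of JonB's point that each user@host pair is a separate account with its own privileges.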

